FCKEditor and current vulnerability exploited in the Wild

Please use the contact form to send us a message about discovered vulnerabilites.
Whenever security issues are fixed, they are mentioned here: http://www.fckeditor.net/whatsnew.

fcksecurity wrote:
Currently attacks occurs using a vulnerabiliy in a vulnerable FCKEditor version of filemanager, as shipped with some ColdFusion servers:
http://isc.sans.org/diary.html?storyid=6715

The problem is in the application that is distributed with FCKeditor with file browser being enabled by default. We can't do much with that.
If you download FCKeditor from our website, the file browser is disabled, you should read configuration file carefully and enable it only to authenticated users.

The vulnerability is about sending a PHP file (as test.php) BUT using a ZIP header as the beginning of the file to bypass the security check, and after put the PHP (or ASP, CFM) code in the file. In this case, the PHP (or ASP, CFM) is evaluated on the server.

This vulnerability is known since October 2008:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-6178
http://www.securityfocus.com/bid/31812/info

This is yet another example of vulnerability introduced in another application.
FCKeditor does not try to detect the mime type of a file, the extension check is based on the file name (extension).

- Is it possible to restrict using internal FCKeditor command access to the filemanager connector, instead of disable it for the moment ?

Yes, open fckeditor\editor\filemanager\connectors\config.ext and make sure that enabled is set to true only for users that should have access to it.

fcksecurity wrote:

- Is it possible to restrict using internal FCKeditor command access to the filemanager connector, instead of disable it for the moment ?

Yes, open fckeditor\editor\filemanager\connectors\config.ext and make sure that enabled is set to true only for users that should have access to it.

Thank you for the tip, this is an interesting workaround waiting for the new FCKEditor version.

Excuse me, but that's not a workaround.
That's a must if you want to keep control of your server.
If you allow anyone to upload files to your server, then you are just waiting for another exploit to happen and then you'll cry again at that time.

For an attack to succeed all the defenses must fail, so as long as we try to cover all the possible weak points we can be protected against a single exploit.

This is my personal opinion, and I'm not any kind of security expert:
1. Security by obscurity: if you place the FCKeditor in another folder, then you are avoiding any automated script that checks the root of the server for /fckeditor/. This is no security by itself, but it will take your server out of a massive attack that only looks at certain locations, it might give you some extra time if such an attack happens.
I repeat: this is only a step to delay slightly the attack against your server, it's not a real security measure.

2. Remove any unused files and scripts.
If you delete it, it can't be used by an attacker.

3. With regards to the file browser, you must verify that the connector is enabled only for those user that must have access to it. This same advice is available in all the config.ext files.
Failing to do so means that anyone can upload files to your server. It's not a big security risk by itself, but this is an open door that can be used together with some other attack.

4. Don't allow any kind of file to be uploaded. Be careful if you change the allowed and denied extensions

5. Restrict the ability to run scripts in the "userfiles" folder. Even if an attacker is able to somehow upload a script to your server, if he can't run it then it's worthless to him. As an example, this script for CKFinder tries to detect if the server is properly configured, and the last checks are to verify this point. Currently there's only the asp version, and as I said, it's only for CKFinder, not for the default FCKeditor file manager, but I don't have enough time to implement all the ideas, so expanding it to other targets it's not feasible for me.
In IIS you must change the permissions of the folder with the control panel (in a way similar to how you set the write permissions), it might depend on your ISP the exact interface.
For Apache you can use .htaccess if I'm not mistaken, I don't know about other servers, but it would be nice to have a common doc to explain how to restrict this ability.

6. Stay updated. Some of those linked advisories talked about products using FCKeditor 2.2 and 2.4. There are lots of changes between those versions and the latest one. Not so many about the file manager, but everynow and then there's a little adjustment there, some weak point that it's being protected and although it might not be marked as "warning, this is a huge security risk", it might be something that later is found that can be used to attack a system.

If you follow all these advices, it would be quite hard for a random attacker to succeed. I won't claim that anything is perfect but all the attacks against FCKeditor that I've read so far are against the file manager, and they start by failing to protect the third step. They leave the filemanager enabled for everyone because they don't know a minimum of server programing to protect them, so they just leave them enabled. (some people think that the filemanager\connectors\test.html and filemanager\connectors\uploadtest.html are security risk because they find that they allow to upload files without understanding that the only problem is how they have configured the connector)
Writing a login page is easy, relying only on security by obscurity, hoping that an attacker won't find your server is bound to fail.

Of the steps outlined by alfonsoml, our setup already follows 1-5 however we have not yet upgraded to 2.6.4.1. We are currently running 2.6.4.

That being the case, does the security issue still exist if the file browser is enabled in config.ext yet LinkUpload, ImageUpload and FlashUpload are all disabled in fckconfig.js?

Thanks

An attacker won't care about your fckconfig.js, that's just client side code to hide the browse or upload buttons so your users don't have bad expectations, it isn't related to the security at all.
They will go directly against your connector, and if you have left it enabled for everyone, then you are running a high risk.